iTop is a CMDB/ITSM web platform with an extensible data model and profile-based permissions. The key security controls are profile hardening, extension governance, and secure integration boundaries.
¶ 1) Restrict profiles and portals by operational role
iTop uses profiles, attached to user accounts, to define who can read/update configuration items, tickets, and administration settings; the built-in Administrator profile is unrestricted.
Required controls:
- grant the Administrator profile only to platform maintainers
- create separate profiles for service desk, CMDB editors, and read-only consumers
- review profile assignments after team changes
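The review in the last bullet is easiest to run as a script that pulls every account with its profiles and diffs the Administrator holders against an approved roster. The following is an added example, not iTop's own code: it assumes the iTop REST/JSON API (POST to webservices/rest.php, operation core/get on class User) returns each account's profiles in the link-set field profile_list with the profile name in profileid_friendlyname; both names, the sample response, and the logins in it are constructed for the example and should be checked against your iTop version.

```python
"""Audit which iTop user accounts hold a privileged profile.

Added example, not iTop's own code. It assumes the iTop REST/JSON API
(POST webservices/rest.php, operation core/get on class User) returns each
account's profiles in the link-set field profile_list, with the profile
name in profileid_friendlyname; check both names against your version.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

PRIVILEGED_PROFILES = {"Administrator"}   # extend with any custom profile that grants admin rights


def rest_params(auth_user: str, auth_pwd: str) -> dict:
    """Form parameters for the core/get call (REST API version 1.3)."""
    return {
        "version": "1.3",
        "auth_user": auth_user,
        "auth_pwd": auth_pwd,
        "json_data": json.dumps({
            "operation": "core/get",
            "class": "User",
            "key": "SELECT User",                   # OQL: every account, whatever its login type
            "output_fields": "login,status,profile_list",
        }),
    }


def fetch_users(base_url: str, auth_user: str, auth_pwd: str) -> dict:
    """Live call (not exercised offline); the calling account needs REST access."""
    body = urlencode(rest_params(auth_user, auth_pwd)).encode()
    url = base_url.rstrip("/") + "/webservices/rest.php"
    with urlopen(Request(url, data=body), timeout=30) as resp:
        return json.load(resp)


def profiles_by_login(response: dict) -> dict:
    """login -> (status, set of profile names), from a core/get response."""
    if response.get("code") != 0:
        raise RuntimeError(f"REST error {response.get('code')}: {response.get('message')}")
    users = {}
    for obj in (response.get("objects") or {}).values():   # objects is null when nothing matched
        fields = obj["fields"]
        names = {link["profileid_friendlyname"] for link in fields.get("profile_list") or []}
        users[fields["login"]] = (fields.get("status", "enabled"), names)
    return users


def audit(response: dict, approved_admins: set) -> dict:
    """Diff the actual privileged holders against the approved roster of maintainers."""
    users = profiles_by_login(response)
    admins = {login for login, (_, names) in users.items() if names & PRIVILEGED_PROFILES}
    return {
        "unexpected_admins": sorted(admins - approved_admins),
        "approved_without_admin": sorted(approved_admins - admins),
        "disabled_admins": sorted(login for login in admins if users[login][0] != "enabled"),
        "no_profile": sorted(login for login, (_, names) in users.items() if not names),
    }


def _user(key, login, status, *profiles):
    """Build one constructed core/get object for the sample below."""
    return {"code": 0, "message": "", "class": "UserLocal", "key": key,
            "fields": {"login": login, "status": status,
                       "profile_list": [{"profileid": str(i), "profileid_friendlyname": p}
                                        for i, p in enumerate(profiles, start=1)]}}


# Constructed sample response, not captured from a real instance.
SAMPLE_RESPONSE = {
    "code": 0, "message": "",
    "objects": {
        "User::1": _user("1", "admin", "enabled", "Administrator"),
        "User::7": _user("7", "j.doe", "enabled", "Administrator", "Service Desk Agent"),
        "User::9": _user("9", "m.smith", "enabled", "Service Desk Agent"),
        "User::12": _user("12", "ex.contractor", "disabled", "Administrator"),
        "User::15": _user("15", "ldap-sync", "enabled"),
    },
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE, approved_admins={"admin"}), indent=2))
```

Against the sample, audit reports j.doe and ex.contractor as unapproved Administrator holders, ex.contractor additionally as a disabled account that still carries the profile, and ldap-sync as an account with no profile at all. Run it with fetch_users on a schedule and after every team change, and treat a non-empty unexpected_admins as a ticket, not a warning.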
¶ 2) Secure extension and datamodel customization pipeline
iTop supports extensions and datamodel customization, which can alter workflow and data access behavior.
Change controls:
- version-control all custom modules and datamodel XML
- test extension compatibility/security in staging before production
- block direct ad hoc edits on the production filesystem; datamodel changes go through the setup, which recompiles them into the production environment, so edits made there by hand are lost at the next compilation
¶ 3) Harden web deployment and installer artifacts
iTop is usually deployed on Apache/Nginx + PHP + MySQL/MariaDB.
Hardening baseline:
- enforce HTTPS and secure session cookies
- keep the setup/ installer inaccessible after installation
- deny web access to the configuration, data/attachment, backup and log directories (conf/, data/, log/)
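Each item in that baseline is something an external probe can verify after every deployment. The script below is an added example and not part of iTop: the path list is an assumption taken from the standard iTop layout (conf/ holds config-itop.php, data/ holds attachments and backups, log/ holds the logs, setup/ is the installer), PHPSESSID is PHP's default session cookie name and will differ if session.name was changed, and the status values in the test are constructed rather than captured from a live instance.

```python
"""Post-deployment exposure check for an iTop web front end.

Added example, not part of iTop. SENSITIVE_PATHS is an assumption from the
standard iTop layout (conf/ holds config-itop.php, data/ holds attachments
and backups, log/ holds logs, setup/ is the installer); PHPSESSID is PHP's
default session cookie name and differs if session.name was changed.
"""
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

SENSITIVE_PATHS = (
    "/conf/production/config-itop.php",
    "/conf/",
    "/data/",
    "/log/",
    "/setup/",
)
SESSION_COOKIE = "PHPSESSID"
PASS_CODES = {401, 403, 404, 0}   # 0 = connection refused / no answer at all


class NoRedirect(HTTPRedirectHandler):
    """Surface 3xx as HTTPError so a redirect to the login page is not mistaken for a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_exposed_paths(statuses: dict) -> list:
    """Sensitive paths (in SENSITIVE_PATHS order) whose status is anything but a refusal."""
    return [p for p in SENSITIVE_PATHS if p in statuses and statuses[p] not in PASS_CODES]


def check_session_cookie(set_cookie_headers: list, https: bool = True) -> list:
    """Attribute names missing from the session cookie; [] means it is hardened."""
    wanted = ["HttpOnly", "SameSite"] + (["Secure"] if https else [])
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name != SESSION_COOKIE:
            continue
        attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
        return [w for w in wanted if w.lower() not in attrs]
    return ["no " + SESSION_COOKIE + " cookie set"]


def check_https_redirect(status: int, location: str) -> bool:
    """True when a plain-HTTP request is answered by a redirect to an https:// URL."""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def _get(opener, url):
    """Return (status, headers); 3xx/4xx/5xx arrive as HTTPError, network failure as 0."""
    try:
        with opener.open(Request(url), timeout=10) as r:
            return r.status, r.headers
    except HTTPError as e:
        return e.code, e.headers
    except OSError:
        return 0, None


def probe(base_url: str) -> dict:
    """Live run against one deployment (not exercised offline)."""
    base_url = base_url.rstrip("/")
    opener = build_opener(NoRedirect())
    statuses = {p: _get(opener, base_url + p)[0] for p in SENSITIVE_PATHS}
    _, headers = _get(opener, base_url + "/pages/UI.php")
    cookies = (headers.get_all("Set-Cookie") if headers else None) or []
    report = {
        "exposed": check_exposed_paths(statuses),
        "cookie_flags_missing": check_session_cookie(cookies, base_url.startswith("https://")),
    }
    if base_url.startswith("https://"):
        # The same host over plain HTTP must bounce to HTTPS rather than serve the UI.
        status, headers = _get(opener, "http://" + base_url[len("https://"):] + "/pages/UI.php")
        location = headers.get("Location", "") if headers else ""
        report["http_redirects_to_https"] = check_https_redirect(status, location)
    return report


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Anything listed under "exposed" is a finding regardless of what the response body says: a 200 on /setup/ means the installer is reachable, and a 3xx there usually means it is redirecting into its own wizard. The cookie check reads only the Set-Cookie headers, so it can be run without credentials.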
¶ 4) Protect synchronization and import channels
iTop often ingests data from discovery/inventory systems.
Integration controls:
- use dedicated import accounts with minimum privileges
- restrict which source addresses may call the import and synchronization endpoints, and rotate the credentials those sources use
- audit reconciliation rules to prevent accidental CI overwrite
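The reconciliation audit in the last bullet has a mechanical part that belongs in the import pipeline itself: before a file is uploaded, confirm that every row carries a complete, unique reconciliation key, because a blank or duplicated key is how one CI's record ends up written over another. The validator below is an added example, not iTop's own code. It assumes the column conventions of iTop's CSV import (attribute codes as headers, external keys addressed as key->attribute, for instance org_id->name), a hypothetical site policy that the id column is never sent, and a constructed sample file of Server rows; verify the conventions against your iTop version.

```python
"""Pre-flight validation of a CSV file before it is fed to iTop's CSV import.

Added example, not iTop's own code. Assumes the column conventions of the
iTop CSV import (attribute codes as headers, external keys as key->attribute
such as org_id->name) and a hypothetical site policy that the id column is
never sent, so every row has to reconcile on the declared key attributes.
"""
import csv
import io
from collections import defaultdict

FORBIDDEN_COLUMNS = {"id"}   # hypothetical site policy: never reconcile by raw object id


def _finish(findings: dict) -> dict:
    findings["ok"] = not (findings["missing_key_columns"] or findings["forbidden_columns"]
                          or findings["blank_keys"] or findings["duplicate_keys"])
    return findings


def validate_import(csv_text: str, reconciliation_keys: list, separator: str = ";") -> dict:
    """Check that every data row has a complete and unique reconciliation key.

    Row numbers in the result are 1-based data rows (the header is row 0).
    """
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=separator)
    header = reader.fieldnames or []
    findings = {
        "rows": 0,
        "missing_key_columns": [k for k in reconciliation_keys if k not in header],
        "forbidden_columns": sorted(FORBIDDEN_COLUMNS & set(header)),
        "blank_keys": [],        # rows where some key attribute is empty
        "duplicate_keys": [],    # {"key": [...], "rows": [...]} for keys seen more than once
    }
    if findings["missing_key_columns"]:
        return _finish(findings)   # cannot evaluate keys that are not in the file
    seen = defaultdict(list)
    for n, row in enumerate(reader, start=1):
        findings["rows"] = n
        key = tuple((row.get(k) or "").strip() for k in reconciliation_keys)
        if any(part == "" for part in key):
            findings["blank_keys"].append(n)
            continue
        seen[key].append(n)
    findings["duplicate_keys"] = [{"key": list(k), "rows": rows}
                                  for k, rows in seen.items() if len(rows) > 1]
    return _finish(findings)


# Constructed sample file (not a real export): one duplicated name, one blank name.
SAMPLE_CSV = """name;org_id->name;serialnumber;status
web01;Demo;SN-1001;production
web02;Demo;SN-1002;production
web02;Demo;SN-1099;production
;Demo;SN-1003;production
db01;Demo;SN-2001;production
"""
SAMPLE_KEYS = ["name", "org_id->name"]

if __name__ == "__main__":
    import json
    print(json.dumps(validate_import(SAMPLE_CSV, SAMPLE_KEYS), indent=2))
```

On the sample, reconciling on name plus organization flags row 4 (blank name) and rows 2 and 3 (same key, different serial numbers), while reconciling on serialnumber alone passes; that difference is exactly what the audit of reconciliation rules should settle per class before the feed goes live. Gate the upload on ok being true, and keep the import's simulation run as the second gate so that what would be created versus updated is reviewed before anything is written.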
¶ 5) Backup strategy including attachments and custom modules
Operational policy:
- back up the database, conf/, custom modules, and attachments together
- run restore drills that validate CI links and ticket history integrity
- monitor upgrade advisories and patch in staged rollout windows
- iTop official documentation portal: https://www.itophub.io/wiki/
- iTop source repository: https://github.com/Combodo/iTop
- Combodo product/documentation entry: https://www.combodo.com/itop-193